Judge’s restraining order takes botnet C&C system offline

Microsoft has disrupted a large spam network with a restraining order that has …

Botnets—large networks of malware-infected PCs remotely controlled by criminals—are a serious problem on the Internet. The spam, phishing attacks, and malware that these networks send account for a massive proportion, in excess of 80 percent, of e-mail traffic. One such network, known as Waledac, has been stopped in its tracks after Microsoft got a court to issue a secret temporary restraining order. The restraining order took 277 domain names used by the criminals to communicate with the botnet offline. Without these domain names, it is hoped that the controllers of the botnet will permanently lose access to the machines running their malware.

The Waledac botnet is presumed to be run by Eastern Europeans and to be made up of hundreds of thousands of compromised machines. It sends hundreds of millions, if not billions, of e-mails each day, and also distributes malware to help recruit new machines to the network. Microsoft's complaint describes in detail how the botnet is organized, with a complex hierarchical control system. At the root of the system are the command-and-control servers. The bots use the 277 domain names to locate the command-and-control servers and download new commands. These commands are then distributed through the different tiers of the network using peer-to-peer transmission.

By obtaining the restraining order, this command-and-control system was disrupted; with the domain names offline, the machines in the botnet were no longer able to locate their control servers, rendering them mostly harmless. The court action had to be taken in secret to avoid warning the botnet's operators; with sufficient warning, they might have been able to set up new domain names and new control systems, thereby circumventing Microsoft's efforts. The names have now been offline for three days, presumably sufficient to cause permanent disruption, and the injunction is now public.

Similar action against past botnets has been attempted by security researchers before, but the results were only temporary as new command and control servers were set up. Microsoft's intent is for this action to be more permanent. "Operation b49," as Redmond has called it internally, still has further work to do to ensure that the peer-to-peer communication between computers in the botnet is disrupted.

This is critical if the mission is to be successful; the company notes that the operation is not a "silver bullet," as it does not remove the malware from the infected PCs. Though the operation has taken them out of the hands of the hackers, they are still infected, and are still trying to contact the control system. The ultimate solution is for those with infected PCs to ensure that they are patched and have the malware removed as soon as possible.

Even if Operation b49 is ultimately successful and the Waledac network is taken offline, it unfortunately generates only a small fraction of the spam sent each day. Microsoft insists that this will not be the last such action, and that we should "stay tuned" for more. The botnets have had the upper hand for many years now; if this action has lasting success, it could be the first real step in the fight against spam.

This is fantastic. Far from being "solved", spam remains a huge problem to anyone running a mail server. The filters are very good now, but there are still inevitable false positives. Until we move to a protected mail delivery model at least taking the worst of the spammers offline will provide some relief.

Hang on - how does this stop the botnet? From a few other networks I've read about, particularly those compromised by researchers, they'll just generate new possible domains to register and contact in a while and, providing the botnet controllers register those domains, the CnC servers will be back up.

Unless Microsoft just took down an entire "evil-friendly" network provider?

Originally posted by darkowl:Hang on - how does this stop the botnet? From a few other networks I've read about, particularly those compromised by researchers, they'll just generate new possible domains to register and contact in a while and, providing the botnet controllers register those domains, the CnC servers will be back up.

Unless Microsoft just took down an entire "evil-friendly" network provider?

It does not stop the actual infected computers. However, provided Microsoft got all of the control servers which the bots respond to, the bots will be unable to get new instructions or commands from the spammers/hackers.

Basically, the addresses for the control servers are hard coded into the malware, so if you remove all the control servers, there will be no way to control/update/change the malware.

The code on this botnet may not be enough for the bots to find a new domain once they're cut off from the 277 domains they use.

However that's the next escalation in the malware wars. The bot creators can program in the ability to seek out new domains that don't exist in their list. Maybe based off some algorithm that auto generates domain names the bots can search for new domains if the 277 they have are gone. Even if their code is dissected and the list found they will always seek new domains.

Then when the hackers realize their bot's domains are gone they run the same algorithm to see what domains they need to create, then wait for the bots to find them again. Once they reconnect they can send out a new list of domains and bypass the 277 dead domains.

So Microsoft will run the algorithm themselves, pre-emptively register the next upcoming domain, use another secret injunction to make the bots switch over to it, take direct control of the entire network, and order it to delete itself or at least stop looking for other control domains. It's the DRM situation with good and evil reversed: once a security team has a copy of the malware in the lab, they can go through the code until they find a critical hardcoded bit they can disrupt, which there always will be because of how the internet works. It'll always be a game of cat and mouse, but it's nice to see one of the good guys (in this sphere, at least) being proactive.
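The posts above describe bots that fall back to algorithmically generated domain names once their hardcoded list is dead. From the defender's side the useful consequence is that such a bot produces a burst of failed lookups for random-looking names before one of them resolves, and that burst is visible in ordinary DNS resolver logs. The following is an added example, not code from the article or from any commenter: the log format, the entropy and vowel thresholds, the burst window and the single-label public-suffix simplification are all assumptions made for illustration.

```python
"""Flag hosts whose DNS traffic looks like a domain-generation algorithm (DGA)
probing for a live command-and-control name.  Added example; log format and
thresholds are assumptions, not the article's or any vendor's."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real data).  Assumed line format:
# <epoch-seconds> <client_ip> <queried_name> <rcode>
SAMPLE_LOG = """\
1266800001 10.0.0.5 www.example.com NOERROR
1266800002 10.0.0.5 mail.example.com NOERROR
1266800003 10.0.0.9 xk3q9zv7tqp2.com NXDOMAIN
1266800004 10.0.0.9 bq8wz2lmr5ty.com NXDOMAIN
1266800005 10.0.0.9 zr4p0qv9xkm1.com NXDOMAIN
1266800006 10.0.0.9 c7ytqz2mw0kp.com NXDOMAIN
1266800007 10.0.0.9 kp2zq8xv3m7w.com NXDOMAIN
1266800008 10.0.0.9 ab9z3q7xpk2v.com NOERROR
1266800009 10.0.0.5 cdn.example.net NOERROR
1266800010 10.0.0.7 typo-of-exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")


def parse_log(text):
    """Return (timestamp, client, name, rcode) tuples; unparseable lines skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, name, rcode = m.groups()
        records.append((int(ts), client, name.lower().rstrip("."), rcode))
    return records


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name):
    # Assumption: single-label public suffix (.com, .net).  A real deployment
    # would consult the Public Suffix List to handle names like example.co.uk.
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label):
    """Heuristic: long, high-entropy labels with few vowels or many digits.
    Thresholds are assumptions tuned only for the constructed sample."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and (vowel_ratio < 0.2 or digit_ratio >= 0.3)


def find_dga_suspects(records, window=60, min_failures=3):
    """Return {client: details} for clients that had at least min_failures
    NXDOMAIN answers for generated-looking names within `window` seconds.
    Any generated-looking name that *did* resolve after the burst is reported
    too, since that is the candidate rendezvous point worth investigating."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)

    suspects = {}
    for client, recs in by_client.items():
        recs.sort()
        failures = [r for r in recs
                    if r[3] == "NXDOMAIN" and looks_generated(registrable_label(r[2]))]
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j][0] - failures[i][0] <= window:
                j += 1
            if j - i >= min_failures:
                burst_end = failures[j - 1][0]
                resolved = [r[2] for r in recs
                            if r[3] == "NOERROR" and r[0] >= burst_end
                            and looks_generated(registrable_label(r[2]))]
                suspects[client] = {"failed_lookups": j - i,
                                    "resolved_after_burst": resolved}
                break
    return suspects


if __name__ == "__main__":
    for client, info in find_dga_suspects(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

On the constructed log only 10.0.0.9 is flagged: five failed lookups for random-looking names in five seconds, followed by one such name that resolved. The typo lookup from 10.0.0.7 is not flagged because the label keeps a normal vowel ratio; in practice the entropy and burst thresholds need tuning against a baseline of the network's own traffic, and the NOERROR name reported after a burst is a lead to sinkhole or block, not proof by itself.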

Thank god Macs don't run malware, jk. But seriously, how many of these people need to update their machines but probably were too lazy to even reboot? I mean, even people that don't have malware are still annoyed at the number of spam. Someone should just fine those people who don't have machines updated, it would do the world a favor. Meanwhile, Microsoft should make its OS less like swiss cheese and more like a brick wall.

Wishful thinking, here, because I know that this would be tremendously expensive and time consuming, and would piss a lot of people off, but I'm gonna toss it out there anyway ...

While taking out the 277 domains is great, this would have been better: get the courts to allow "secret" authoritative "DNS Seizure" for the domains. Set up honeypots at the (new) addresses, redirect the domains to those new servers, emulate botnet C&C server behavior to a reasonable degree, and then start capturing bot addresses. For every system or network that contacts the faux C&C, a notice goes out to an ISP, domain registrar, whois contact, etc.
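The sinkhole idea in the comment above turns a dead C&C name into telemetry: every check-in at the honeypot identifies an infected host, and the remaining work is turning those hits into one notification per network per day without spamming the same ISP with every packet. The following is an added example of that aggregation step, not code from the article or the commenter; the log format, the prefix-to-contact table and the per-day grouping are assumptions for illustration (a real deployment would resolve contacts through WHOIS/RDAP and honour each ISP's reporting format).

```python
"""Turn sinkhole contact records into per-network abuse notifications.
Added example; log format, contact table and grouping rule are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample: one line per bot check-in at the sinkhole (not real data).
# Assumed format: <iso-date> <source_ip> <requested_host>
SINKHOLE_LOG = """\
2010-02-25 198.51.100.17 c2-a.example
2010-02-25 198.51.100.23 c2-a.example
2010-02-25 198.51.100.17 c2-b.example
2010-02-25 203.0.113.8 c2-a.example
2010-02-26 198.51.100.17 c2-a.example
2010-02-26 192.0.2.44 c2-b.example
"""

# Constructed prefix -> abuse contact table (assumption; a real deployment
# would look these up via WHOIS/RDAP rather than hardcode them).
ABUSE_CONTACTS = {
    "198.51.100.0/24": "abuse@isp-a.example",
    "203.0.113.0/24": "abuse@isp-b.example",
}


def parse_sinkhole_log(text):
    """Return (day, ip_address, requested_host) tuples; malformed lines skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day, ip, host = parts
        try:
            rows.append((day, ipaddress.ip_address(ip), host))
        except ValueError:
            continue  # not an IP address; ignore the line
    return rows


def contact_for(ip):
    """Longest-prefix-free lookup over the small constructed table."""
    for prefix, contact in ABUSE_CONTACTS.items():
        if ip in ipaddress.ip_network(prefix):
            return contact
    return None


def build_notifications(rows):
    """Group infected hosts as {(day, contact): sorted unique IPs}.
    Repeated check-ins from one host collapse to a single entry, and hosts
    with no known contact land under (day, None) for manual follow-up."""
    notices = defaultdict(set)
    for day, ip, _host in rows:
        notices[(day, contact_for(ip))].add(str(ip))
    return {key: sorted(ips) for key, ips in notices.items()}


if __name__ == "__main__":
    for (day, contact), ips in sorted(build_notifications(
            parse_sinkhole_log(SINKHOLE_LOG)).items(), key=str):
        print(day, contact or "<no contact>", ", ".join(ips))
```

With the constructed log, 198.51.100.17 checks in three times on the 25th but appears once in that day's notice to isp-a, and the host in 192.0.2.0/24 is parked for manual handling because no contact is known for it. Grouping by day is the simplest rate limit; a production sinkhole would also keep the requested hostname, since it tells the recipient which malware family to look for.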

Originally posted by Have Blue:So Microsoft will run the algorithm themselves, pre-emptively register the next upcoming domain, use another secret injunction to make the bots switch over to it, take direct control of the entire network, and order it to delete itself or at least stop looking for other control domains.

This was tried with the Mebroot / Torpig botnets though IIRC - and the response of the botnet controllers was to seed an absolutely ridiculously impractical number of possible domains - so that the costs involved in blanketing the lot would be absolutely astronomical.

Why doesn't MS just take control of the address itself rather than just shutting it down. Something like a reprogram and delete counter to when the botnet drones try to contact the hive(s) for instructions? It seems to me that this tactic that they just used could only work temporarily at best with the next program from the hives instructing multiple domains in the event that one or a hundred are in the process of being shut down..?

Originally posted by wordsworm:Why doesn't MS just take control of the address itself rather than just shutting it down. Something like a reprogram and delete counter to when the botnet drones try to contact the hive(s) for instructions? It seems to me that this tactic that they just used could only work temporarily at best with the next program from the hives instructing multiple domains in the event that one or a hundred are in the process of being shut down..?

Despite what would appear to be good intentions, to do such a thing would probably also be a crime. The most they could probably get away with legally is to send a notification to the affected computer.

Not to mention the shitstorm they'd find themselves in if the removal instructions they sent to the botnet did not work quite right, and maybe ended up wrecking some computers...

Surely some legal framework could be created, authorized by the government. I agree that it probably wouldn't be legal to do it at this moment. Perhaps send notification and a click-button method of getting rid of the worm? I don't know, as I'm no expert. However, it seems to me that there could be a better way of dealing with this rather than just taking the hives' addresses offline.

Originally posted by dtarsky:Sounds good, but what if the bots are connecting to static IPs?

I think the only real recourse here is to "hack the hacker" by having a machine join the botnet and send commands to move the control to servers they can't reach. I bet some botnets even have a killswitch which a rogue (but in this case good) bot could delete the entire network. I only think the killswitch theory is probably true because it is what I'd do. If the cops were on to me I'd want a back door in place to take down and delete every trace of infection and communication.

When I did telemarketing prior to getting a degree and taking up teaching, the firm gave substantial funds to the police organizations. Needless to say, there was nothing there when the police came to raid the place. No offence to the honest cops out there, but there's definitely an element of bad apples at the core of every police force, and probably more where there's no measures to route and eliminate corruption (we lack such protections in Canada). In other words, the botnet owners likely would get a phone call before the door got busted in to give them time to get out.

What a joke. If msft were serious about controlling malware-related crime, they wouldn't be the #1 provider of bullet-proof mailboxes for the Nigerian fraud syndicate. Count the number of spams in your folder with "Reply-to: random@qatar.io" in the headers. Now look up the MX record for the qatar.io domain. (It's Hotmail.) Now try to get report_spam@hotmail.com (or any other MSFT address) to accept a spam report about one of those spam messages. You'll get their automatically generated boilerplate, "Unfortunately, we need an MSN-hosted domain or we can't do anything..." This has been broken for almost a year. MSFT knows it. They don't give a damn. So their botnet court order doesn't prove a thing.

When was the last time you saw an Outblaze (mail.com etc) hosted Reply-To in a fraud spam? Outblaze runs its own traps. That's expensive. MSFT has more money than god, but they wait for volunteers to report hotmail spammer mailboxes, and they don't even enforce their rules on pamx1 domains like qatar.io.

In the last two weeks, I've got western_union2009@qatar.io, money_gram_transfer@qatar.io, exxonmobilegas@qatar.io, eco@qatar.io, dozens more. How hard are those to find, MSFT?

The main thing that the community can benefit from this is a legal procedure that implicates whoever is doing this and from there laying the groundwork for future cases to go smoother. I mean every court order regarding botnets will go that much faster and hopefully the people running them will run stiffer penalties.

So I actually went and read through the legal document. It looks like it only worked because all the domains were .com and they could all be taken down at Verisign. That's why this was filed in Virginia, it's the legal location of Verisign. You can bet that this won't work next time, as everybody will be adding not just multiple domains, but multiple registries. It would only take one or two .co.uk or .co.it to avoid this particular peril. Sure, you could file lawsuits in each country, but that would significantly add to the level of effort required and the time required to take all the domains down. If only one of the domains stayed up for an extra day or so the bot-herders could push out an update that would sidestep the entire operation.

Originally posted by dischord:In the last two weeks, I've got western_union2009@qatar.io, money_gram_transfer@qatar.io, exxonmobilegas@qatar.io, eco@qatar.io, dozens more. How hard are those to find, MSFT?